Most of the time, there's no excuse for not patching servers in a timely fashion. It may be annoying, or difficult, or you may have to inconvenience your users or come in at midnight on a weekend, but you can still get them patched. Sometimes though, there are systems that are critical and that really need to be available for extended periods of time. Sometimes, you may be responsible for servers that run complex applications that require a specific OS configuration, and you just can't run the risk of applying patches or service packs, which could break the application. This is especially annoying because some service packs or components thereof can't be uninstalled. And in many cases, the device in question is really an "appliance" that gives you no access to the OS configuration, so patching is not an option.

In cases like these, there are a few things you can do to mitigate the risk of these important servers succumbing to the next worm or virus, or being unnecessarily exposed to hackers. Which option you choose will probably depend on what type of applications your server is supporting, and your budget. Most of the options fall under a general strategy of pushing "security" out in to the network, to create some sort of perimeter around the server and application.

First, the obvious: firewalls. If your application allows, you can put a firewall on your internal LAN to separate the users from the device. This is generally pretty effective.